Hello!
On Thu, 21 Oct 2004 18:09:23 +0300, Hugo wrote:
> Hello!
> I finally changed my servers from Windows to Linux (SuSE 9.1). In Windows I used to have the F-Secure SSH server (student licence), and I had set it up so that I could access the whole system via SFTP (I also had SSH access), but others could access only their own directory. What's more, the SFTP directories were defined as d:\sftp\%username%. A very clean system with no problems for the users.
> Bear with me, as I probably do not know how to ask this in a simple way and I do not know the right terms... I'll try to explain what I would like to do (almost the same as in Windows):
> With SuSE I had the SSH server up and running very fast. So now I have different types of users:
> 1) Me: local user, remote with SSH and X + SCP/SFTP (unlimited)
> 2) Family: local users, remote with SFTP limited to the user's home dir (or some empty dir under it)
> 3) Remote family: only remote SFTP, limited to some empty dir somewhere (not necessarily under the home dir)
> The current situation with the SuSE defaults is that if I create a user and use WinSCP to access the server as that user, they can see just about every file there, including other users' home dirs. Not good.
I think the problem stems from the fact that when you add a new user using YaST (with all the default settings), the default group is "users" and the permissions on the home directory are something like this:

drwxr-xr-x

So, yes, this is *not* good, since the group and "other" will have read + execute permissions on one's home directory. Also, depending on your needs, putting everyone in the same group (e.g. "users") can be considered "not good" as well. And this is why "other users" can see other users' home directories.

> (I thought that by default Linux was more secure...)

Well, maybe this is true for the "Personal" or "Professional" versions of *SUSE* Linux ;) (Not sure about the server version, since I haven't tried it.) Apparently there's a problem, IMHO, with the current implementation in YaST when adding users with the default settings. Anyway, I'm sure not all Linux distros behave the same way. Besides, there's a "fix" for that default behaviour of YaST -- see below.

> Also, just the complexity of all the stuff that is in the user's home dir would confuse many users. They just need to see one empty dir to transfer files to and from. For those who log in locally, this dir should be under the home dir, like Documents. And the 3rd type of user should only have access to one dir that is completely empty except for their own files.
> First question: can this be done? (Please don't tell me I have to go back to Windows Server...) Second: how?
Somebody already mentioned "chrooting" or "scponly", so let me just mention a completely different approach. First, when adding users, try the "old" way, something like:

1. groupadd newgroup
2. useradd newuser -g newgroup
3. passwd newuser
4. mkdir /home/newuser
5. chown -R newuser:newgroup /home/newuser
6. chmod 700 /home/newuser

Now, for the remote (secure) file transfers, try this setup: Apache+SSL+WebDAV+acl. One advantage here is that, most likely, they are already installed on your Linux box. Just edit the conf files, set up permissions (acl), start Apache and everything's done :) Besides, if those who need to transfer files remotely are using Windows, they just need to "Add a Network Place" and there is no need to install additional programs.

> Sorry for not being more exact in defining the problem. Hopefully you got the idea. I'm not new to computers and I'm quite happy to edit config files... except that this time I didn't find what to edit (sshd_conf doesn't seem to have options for limiting users like this).

PS. BTW, just a side note: if you're really concerned about security, perhaps you should try the server version and use SELinux. Or check some other Linux distros that are specifically made for servers. Or try a BSD flavour of Unix: OpenBSD or NetBSD, anyone? :) But of course, even SUSE Personal can be "hardened" -- it just needs a bit more work ;)
--
- E - on SUSE 9.1 | blackbox 0.65 | copperwalls was here ;)
"The righteous themselves will possess the earth, And they will reside forever upon it." - Psalms 37:29
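The six-step user-creation sequence from the reply above (private group, useradd -g, chmod 700), packaged as one shell function, together with a check that lists every home directory still granting the group or "other" any access, which is the drwxr-xr-x default the thread complains about. This is an added example and not code from the original thread; the function names, the /home root and the sample directories are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread).
#   add_private_user  - the groupadd / useradd -g / chown / chmod 700 sequence, needs root
#   audit_home_perms  - prints home directories whose mode is not drwx------ and returns 1 if any
# /home as the default root and the names below are assumptions for illustration.

add_private_user() {
    # usage: add_private_user <user> <group> [home_root]
    user="$1"; group="$2"; root="${3:-/home}"
    groupadd "$group"                       # one private group per user, not the shared "users" group
    useradd -g "$group" -d "$root/$user" "$user"
    passwd "$user"                          # interactive password prompt
    mkdir -p "$root/$user"                  # deliberately empty: no skeleton files to confuse SFTP users
    chown -R "$user:$group" "$root/$user"
    chmod 700 "$root/$user"                 # drwx------ : group and other get nothing
}

audit_home_perms() {
    # usage: audit_home_perms [home_root]
    # For every directory directly under home_root, look at columns 5-10 of `ls -ld`,
    # which are the group and other permission triplets ("r-xr-x" for a 755 directory).
    # Anything other than "------" is reported. Returns 1 if at least one was found.
    root="${1:-/home}"
    found=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue             # glob did not match anything
        d="${d%/}"
        go_bits=$(ls -ld "$d" | cut -c5-10)
        case "$go_bits" in
            ------) ;;
            *) echo "$d: group/other bits are $go_bits (expected ------)"; found=1 ;;
        esac
    done
    return $found
}
```

Run `audit_home_perms /home` on an existing box to find the accounts YaST created with the open default, then `chmod 700 /home/<user>` for each one reported; new accounts created with `add_private_user` pass the check from the start. Two caveats: 700 on the home directory also stops Apache from serving `~/public_html` and stops other local users from reaching anything inside it, which is the intended effect here; and the statement in the thread that sshd_config has nothing for limiting SFTP users was true in 2004, since OpenSSH only gained `ChrootDirectory` and the in-process `internal-sftp` subsystem with the 4.8/4.9 releases in 2008.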